[Lxc-users] Questions regarding LXC and nsenter
Serge Hallyn
serge.hallyn at ubuntu.com
Fri Dec 6 22:28:55 UTC 2013
Quoting Ranjib Dey (dey.ranjib at gmail.com):
> Hi,
> Apologies in advance if im asking something stupid.
> Im trying to use nsenter with lxc. it works fine with systemd-nspawn based
> containers, but not with lxc based containers. Im using ubuntu 14.04 and
> nsenter from util-linux 2.24 and lxc 1.0.0alpha3. From whatever i can
> search /read in internet, this does not work, but im trying to understand
> why. i can see the /proc/CONTAINER_PID/ns/* entries, and if i understand
> correctly nsenter uses this information to execute commands. Whats I am not
> able to understand is that nsenter executes successfully but inside the
> container it shows the host os , with all privileges. i have tried
nsenter won't change yoru apparmor profile or probably set your caps,
so 'with all privileges' is expected unless you are using a user ns.
not sure what you mean by 'shows the host os'. You mean / is the host's
/? that could be due to the fact that we don't chroot but rather
pivot_root, maybe nsenter doesn't account for that.
> explicitly specifying the containers rootfs and root directory or working
> directory in nsenter, but that does not fixes the problem.
>
> I read couple of mailing list archive on this, and it was recommended not
> to use nsenter against lxc. If anyone can explain why this is so (or give
> some pointers to resources that can explain this), that will be very
> helpful.
It should 'work' in that it should change your namespaces, but
nevertheless I'd recommend using lxc-usnhare instead of nsenter.
-serge
More information about the lxc-users
mailing list